4 Answers
4

I would use the array_walk() function. It's better suited because it modifies the POST superglobal, so any future uses are sanitized.

array_walk_recursive( $_POST, function ( &$value ) {
    // the callback must take $value by reference, otherwise the walk changes nothing;
    // passing 'mysql_real_escape_string' by name would also hand the array key to its $link parameter
    $value = mysql_real_escape_string( $value );
} );

However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. E.g. emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).
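The two pieces of advice in this answer, escaping every value in `$_POST` in place and whitelisting the character set of each field before the query is ever built, as one added example (this is not the answerer's code). It assumes PHP 5.3+ for the closure; the field names, the whitelist patterns and the sample request are constructed for the demo, and the escaper is a stand-in so the script runs without a MySQL connection.

```php
<?php
// Added example, not code from the answer above. Assumes PHP 5.3+.

// Escape every string leaf of $data in place. The inner callback takes
// $value by reference; without that, array_walk_recursive modifies
// nothing. Passing 'mysql_real_escape_string' by name would also hand the
// array key to its second ($link) parameter.
function escape_recursive(array &$data, $escape)
{
    array_walk_recursive($data, function (&$value) use ($escape) {
        if (is_string($value)) {
            $value = $escape($value);
        }
    });
}

// Per-field character-set whitelist, as the answer recommends.
// Returns field => reason for every field that fails; an empty array
// means every listed field passed.
function validate_fields(array $data, array $rules)
{
    $errors = array();
    foreach ($rules as $field => $pattern) {
        if (!isset($data[$field]) || !is_string($data[$field])) {
            $errors[$field] = 'missing or not a scalar';
        } elseif (!preg_match($pattern, $data[$field])) {
            $errors[$field] = 'contains characters outside the allowed set';
        }
    }
    return $errors;
}

// Whitelists assumed for the demo. \A and \z are used instead of ^ and $
// so a trailing newline cannot slip past the anchor.
$rules = array(
    'email' => '/\A[A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+\z/',
    'name'  => '/\A[A-Za-z\' \-]{1,100}\z/',
);

// Stand-in for mysql_real_escape_string so this runs without a connection.
// It escapes the same seven bytes (NUL, \n, \r, \, ', ", Ctrl-Z) but is not
// charset-aware; in production bind the real function to your link instead:
//   $escape = function ($s) use ($link) { return mysql_real_escape_string($s, $link); };
$escape = function ($s) {
    return strtr($s, array(
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ));
};

// Constructed request: an injection attempt in the email field, a legitimate
// apostrophe in the name, a nested array (which a plain array_walk would
// pass to the escaper whole) and a free-text field with quotes and a NUL.
$_POST = array(
    'email'   => "bob'; DROP TABLE users; --@example.com",
    'name'    => "O'Brien",
    'tags'    => array('a', "b\\c"),
    'comment' => "it's \"fine\"\0",
);

// Validation rejects the email on its character set alone, before any
// escaping or query building happens; the name passes.
$errors = validate_fields($_POST, $rules);

// Escaping is still applied to everything that reaches a query string.
escape_recursive($_POST, $escape);

var_dump($errors, $_POST);
```

The validator and the escaper are deliberately separate: the whitelist decides whether a request is acceptable at all, while escaping only makes whatever survives safe to concatenate into a query string. Note that `escape_recursive` takes the escaper as a parameter, so the same walk works with `mysql_real_escape_string`, `mysqli_real_escape_string` or any other function bound to a live connection.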

Thanks. Yeah, I am pretty much validating every field as well. Are there holes in the escape_string function?
– NoviceCoding Jan 12 '11 at 6:15

1

Nothing will ever fully protect you. Off the top of my head I can't name any specific flaws that would concern mysql_real_escape_string. One important thing to remember is that this doesn't (and shouldn't be used to) sanitize file uploads, so you will need to take the necessary precautions (protecting against null byte hacks and the like).
– PhpMyCoder Jan 12 '11 at 6:20

3

-1 You should use array_walk_recursive, because this code will fail if any of your $_POST items contains an array.
– Johan Oct 2 '11 at 5:58

So you can't modify the $_POST variable itself (just wondering)? Like $_POST = array_map('mysql_real_escape_string', $_POST);? Thanks for the recommendation. Second time I've heard of MySQLi, so I will look into it and see how difficult it is to transfer over.
– NoviceCoding Jan 12 '11 at 4:41

@NoviceCoding: You can, but it's best not to pollute superglobals.
– BoltClock♦ Jan 12 '11 at 4:42

Yes, you can overwrite the $_POST variable, but what happens when you want to use one of the original, unescaped values later on? :)
– Kevin Jan 12 '11 at 4:43

Ok, as far as coding etiquette goes I get why it's a bad idea to reuse $_POST, but if it meant I would have to rename every call on $_POST, nothing bad would happen if I just modified $_POST instead, right? Not sure how it works, but $_POST resets, right?
– NoviceCoding Jan 12 '11 at 4:47